Vulnerability management solution Tripwire IP360 provides visibility into your network, both on-premises and in the cloud, including all devices and their associated operating systems, applications, and vulnerabilities. The Tripwire Vulnerability and Exposure Research Team (VERT) keeps Tripwire IP360 up-to-date with accurate, non-intrusive discovery signatures that are current and relevant to large organizations.
To import your data from Tripwire IP360 to the Cisco Vulnerability Management module, you will need to use the Tripwire Connector under the Vulnerability section in the Cisco Vulnerability Management UI.
The Connector is a full run connector, unless the scan_type is a Partial Scan. Then Cisco Vulnerability Management will pick up the full report from the partial scan and upload that data.
Prerequisites
-
Since Tripwire is an API Connector, the service account you wish to leverage must have access to the Tripwire API.
-
Your service Account must also have access to all the scan data that you want to import.
- If your Tripwire scanner is on premises you will need to have the Virtual Tunnel set up prior to attempting to run the connector.
- If you do not have the Virtual Tunnel set up and your scanner is on-premises, the connector will fail.
Configuring your Tripwire Connector in Cisco Vulnerability Management
1. In the Cisco Vulnerability Management UI, click Connectors.
2. Click Add Connector.
3. In the Vulnerability Management section, click Tripwire API.
4. On the IP360 API page, enter the following information:
- Name: Enter a name for the connector, or leave it as IP360 API.
- Username: Enter the username for the account,
- Password: Enter the password for the account,
- Host: Enter the Host information. If your host is static, enter the IP address and the port number. If your host is dynamic, enter the DNS and port information.
- Schedule: Select the frequency that you’d like your Connector to run. (Cisco recommends mirroring the cadence of your Tripwire Scans).
- Asset Inactivity Limit: Enter a time in days for the connector level asset inactivity limit. Cisco recommends 2-3 times the scan cadence of your connector scans).
- Use Virtual Tunnel: Select this option if your scanner is on-premises.
5. Click Save and Verify.
What Tripwire Items does Cisco Vulnerability Management Import?
Cisco Vulnerability Management will import all of the applications associated with the user leveraged for the connector. We will pull:
Tripwire IP360 Field |
Cisco Vulnerability Management Field |
Notes |
---|---|---|
AppName or AppID |
Application Name |
|
Audit_id |
scan_type |
If the scan_type is a partial scan, Cisco Vulnerability Management will disable the auto-closing feature for vulns that do not appear in the export. For all vulns that appear in the scan we will update their status. For vulnerabilities that do not appear, Cisco Vulnerability Management will not auto-close them. This is to prevent false auto-closures. |
Vuln > name |
Name |
|
vuln_id |
Identifier (Vulnerability) |
|
vdescription |
Description |
|
|
Vulnerability Status |
Only maps Open, Closed vulnerabilities. |
cves |
CVE |
|
port |
Ports |
|
-N/A- |
Last Seen |
Cisco Vulnerability Management does not receive an explicit last seen date. We take the date of the connector run with the vulnerability present and utilize that datestamp as the Last Seen date. |
end_date |
Found On |
|
-N/A- |
Closed |
Cisco Vulnerability Management does not receive an explicit Closed status from Tripwire. With the vulnerability export reports, any previously identified vulnerabilities that are no longer present (in a full scan) will be auto-closed as remediated. |
-N/A- |
Created |
Date the vuln was first imported to Cisco Vulnerability Management. Not mapped to a Qualys field. |
os_vendor |
OS |
If OS_Vendor hash is filled with “UNKNOWN_OS” we will remove this data and leave a null field rather than importing the asset with OS as “unknown_os” |
hostname |
hostname |
If locators hash is filled with “UNKNOWN_HOSTNAME” we will remove this data and leave a null field rather than importing the asset with hostname as “unknown_hostname” |
ip |
ip_address |
|
netbiosname |
netbios |
|
persistent_id |
External Host ID |
|
-N/A- |
Tags |
There are no tags or tag references for Tripwire |
Optional Settings
The following settings can be enabled on the backend for Tripwire Connectors. To have these settings enabled, or for more information, contact Cisco Support, or your Customer Success Engineer.
Exclude Informationals
- When this option is enabled, Cisco Vulnerability Management will not import vulnerabilities that do not include a CVE, CWE, or WASC ID.
Skip Tags
- This setting enable you to not create any Tags in Cisco Vulnerability Management based on the scanner metadata.
Ignore Scanner Last Seen Time
- If you do not want the asset last seen time in Cisco Vulnerability Management to be the scanner reported last seen time.
Tag Reset
- This setting will assist in keeping your scanner metadata in sync with Cisco Vulnerability Management. Each time the connector is run, all tags in Cisco Vulnerability Management will be removed and the scanner tag metadata re-created.
- If you have created any manual tags or any tags were created based on metadata from other connectors that tag info will be removed and will be refreshed once those other connectors are rerun.
Custom Ordered Locators
- Locators (such as IP, Netbios, and FQDN) can be reordered to better deduplicate vulnerabilities on the Connector level or the entire Platform level. For more information see the help article here.
Common Reasons for Tripwire Connector Run Failures
- Bad Credentials. If you enter the incorrect connector credentials during the connector setup, we will not have access to the Tripwire environment to make the API calls.
- If no reports are found, Cisco Vulnerability Management will abort the Connector run, rather than fail it outright
- If an API call fails (no data available, or other reasons)
-
If Cisco Vulnerability Management receives data that is not in the expected format and it cannot process it, the connector will fail.
-
If more than 1% of connector payloads fail to import cleanly, Cisco Vulnerability Management will auto-fail the Connector Run
Additional Assistance:
Contact Cisco Support if you require any additional assistance with the Tripwire Connector.
Comments
Please sign in to leave a comment.